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VOLUME  X 
IN  THE  UNITED  STATES  ARMY 

UNITED  STATES 
VS. 

MANNING,    Bradley  E.,    PFC  COURT-MARTIAL 
U.S.   Army,  xxx-xx-9504 

Headquarters  and  Headquarters  Company, 

U.S.   Army  Garrison, 

Joint  Base  Myer-Henderson  Hall, 

Fort  Myer,   VA  22211 

 / 

The  Hearing  in  the  above-entitled  matter  was 
held  on  Wednesday,   June  26,   2013,   commencing  at  1:22  p.m., 
at  Fort  Meade,  Maryland,   before  the  Honorable  Colonel 
Denise  Lind,  Judge. 
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DISCLAIMER 

This  transcript  was  made  by  a  court 
reporter  who  is  not  the  official  Government  reporter, 
was  not  permitted  to  be  in  the  actual  courtroom  where 
the  proceedings  took  place,  but  in  a  media  room 
listening  to  and  watching  live  audio/video  feed,  not 
permitted  to  make  an  audio  backup  recording  for 
editing  purposes,   and  not  having  the  ability  to 
control  the  proceedings  in  order  to  produce  an 
accurate  verbatim  transcript . 

This  unedited,   uncertified  draft 
transcript  may  contain  court  reporting  outlines  that 
are  not  translated,   notes  made  by  the  reporter  for 
editing  purposes,  misspelled  terms  and  names,  word 
combinations  that  do  not  make  sense,   and  missing 
testimony  or  colloquy  due  to  being  inaudible  to  the 
reporter . 
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CAPTAIN  JOSEPH  MORROW 
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CAPTAIN  ALEXANDER  van  ELLEN 
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MAJOR  THOMAS  HURLEY 
CAPTAIN  JOSHUA  TOOMAN 
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PROCEEDINGS, 
THE  CLERK:     All  rise. 

THE  COURT:     Please  be  seated.     Call  for 
order .     Let  the  record  reflect  all  parties  are  present 
in  court . 

Major  Fein,   are  you  ready  to  proceed? 

MR.   FEIN:     The  United  States  is  ready.  The 
United  States  offers  to  read  three  stipulations  with 
respect  to  testimony  into  the  record. 

The  first  stipulation,   Your  Honor,   is  the 
expected  testimony  for  Special  Agent  Ronald  Rock  dated 
9  June,   2013,   Prosecution  Exhibit  79. 

(Reading  stipulation) . 

Your  Honor,    stipulation  of  expected 
testimony  from  Mr.   James  Downey  dated  17,   June  2013, 
Prosecution  Exhibit  149. 

(Reading  stipulation) 

Your  Honor,   rather  than  reading  the  table 
that  is  provided,   the  remaining  portion  actually 
describes  the  information  in  the  table .     So  I  will  skip 
that  portion. 
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(Continues  reading  stipulation.) 
THE  COURT :     Can  I  interrupt  you  for  just  a 
second?     The  copy  that  the  Court  has  is  Prosecution 
Exhibit  152. 

Was  there  a  change  made? 

MR.   FEIN :     Yes,   ma'am.     That  is  what  was 
reflected  prior  to  the  lunch  recess.     This  is  page 
3  and  that,   Prosecution  Exhibit  152,   was  changed  with 
concurrence  of  the  defense  to  Prosecution  Exhibit  164. 
So  the  court ' s  copy  is  —  the  court  has  a  newer  copy  of 
the  actual  step  — 

THE  COURT :     We ' re  supposed  to  be  looking  at 

164? 

MR.   FEIN:     Yes,  ma'am. 

THE  COURT:      I'm  looking  at  prosecution 
Exhibit  14  9  which  was  the  old  one. 

MR.   FEIN:     No,   ma'am.  Prosecution 
Exhibit  14  9  is  the  stipulation  of  expected  testimony 
that's  been  admitted.     That  stipulation,  Prosecution 
Exhibit  14  9,   was  amended  prior  to  going  on  the  lunch 
recess.     Right  there  in  that  paragraph  on  top  of  page 
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3,   the  152  is  lined  out  and  changed  to  164. 

THE  COURT:  All  right.  I  see  a  set  of 
initials  next  to  that.  Major  Hurley,  is  that  your 
initials  and  PFC  Manning's? 

MR.   HURLEY:     Yes,  ma'am. 

MR.   FEIN:     So  you  all  agree  with  the 

change? 

MR.   HURLEY:     Yes,  ma'am. 

MR.   FEIN:      152  in  that  paragraph  should  be 
slashed  through  and  it  should  be  changed  to  164. 
THE  COURT:     Got  it. 

MR.   FEIN:      (Continues  reading  stipulation.) 

Your  Honor,   the  United  States  moves  to 
admit  what  has  been  marked  as  Prosecution  Exhibit 
152  and  164  for  identification  as  Prosecution  Exhibit 
152  and  164. 

MR.  TOOMAN:  No  objection,  ma'am. 
THE  COURT:  May  I  see  it,  please? 
(Pause . ) 

You  have  Prosecution  Exhibit  152  for 
identification  and  164  for  identification  are  admitted. 
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MR.   FEIN:     The  United  States  calls  Special 
Agent  David  Shaver.     You  are  still  under  oath. 
THE  WITNESS:     Yes,  sir. 

Whereupon , 

DAVID  SHAVER, 

previously  called  as  a  witness,   having  been  first  duly 
sworn  to  tell  the  truth,   the  whole  truth,   and  nothing 
but  the  truth,  was  examined  further  and  testified  as 
follows : 

EXAMINATION  BY  MR.  MORROW: 

Q  Special  Agent  Shaver,   you  testified  earlier 

that  you  examined  Centaur  logs  as  a  part  of  this  case; 
is  that  correct? 

A  Yes,  sir. 

Q  And  in  your  own  words,   what  is  Centaur? 

A  Centaur  is  —  they  are  logs  filed  that  are 

captured  on  netflow  information. 
Q  What  is  netflow? 

A  Sir,   that's  the  traffic  between  two 

computers .      It  will  capture  things  like  source 
computer,   destination  computer,   dates,   times,   amount  of 
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data  transferred. 

Q  And  how  does  Centaur  actually  capture  that 

information? 

A  There  are  sensors  throughout  the  network, 

the  DOD  network,   that  if  communication  —  you  know, 
goes  in  front  of  it,    it  will  capture  it. 

Q  And  you  examined  Centaur  logs  as  part  of 

other  investigations  at  CCIU? 

A  Yes  sir,    I  have. 

Q  Why? 

A  In  my  previous  role  at  CCIU  we  would  do 

other  log  examinations  concerning  malware .     The  Centaur 
logs  are  really  good  for  seeing  how  one  computer  will 
communicate  with  another  for  how  malware  would 
propagate  on  a  network. 

Q  What  do  you,  mean  by  malware? 

A  Malicious  software . 

Q  And  what  information  was  examined  in  this 

case  by  CCIU  and  specifically  you? 
A  For  Centaur? 

Q  Yes,    for  Centaur. 
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A  We  looked  at  the  log  files  pertaining  to 

the   .22  and  .40  computers  from  November  2009  until 
May  2010. 

Q  And  the  use  of  the  log  files  for  those  two 

IP  addresses,   what  did  they  actually  capture? 

A  They  were  capturing  things  —  again,  dates 

and  times,   the  protocols  used  to  communicate. 

Q  What  was  on  the  other  side?     Maybe  that ' s 

better  question. 

What  does  Centaur  capture? 

A  It  captures  an  IP  address.     It  captures  IP 

addresses,   things  like  that.     IP  addresses,   dates  and 
times . 

Q  When  you  say  that  —  but  it  captures  a 

connection;   is  that  correct? 
A  Yes,  sir. 

Q  And  what  does  it  capture  the  connection  of 

A  Transfer  of  data.     There's  data 

transferred . 

Q  Between  what? 

A  Two  computers ,   computer  and  a  server . 
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Q  So  if  a  computer  is  on  the  other  side,  that 

computer  can  be  a  server  as  well? 
A  Yes,  sir. 

Q  Now,   when  you're  trying  to  determine  what 

computer  is  on  the  other  side  so  you  have  the  source  IP 
which  is   .22  or   .40  and  you're  trying  to  determine  what 
is  on  the  other  side,   so  whatever  computer  the   .22  or 
.40  communicate  with,   how  do  you  figure  that  out? 

A  There ' s  a  few  ways .     I  basically  —  because 

it's  an  IP,   I  can  resolve  the  IP  to  a  more  friendly 
name . 

Q  What  do  you  mean  by  a  friendly  name? 

A  For  example,   CNN.     You  can  remember  CNN. 

That ' s  easy  to  remember .     But  it ' s  actually  an  IP 
address  of  a  computer  and  an  IP  address  may  be 
something  like  123.123.12.     You  won't  remember  that. 
So  it's  called  domain  name  service,   DNS.      It  just 
resolves  a  friendly  name  to  an  IP  and  you  can  reverse 
that  as  well,   figure  out  who  the  IP  belongs  to. 

Q  And  the  domain  name  service,   where  is  that 

tool  located? 
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A  Sir,   that's  part  of  the  —  it's  on  the 

SIPRnet.      It's  just  part  of  the  internal  classified 
network . 

Q  What  was  your  investigative  plan  for  the 

Centaur  logs  you  looked  at? 

A  Looked  for  patterns .     Because  it  shows  data 

transferred.      I  was  kind  of  curious  to  see  which 
computers  were  —   .22  and  .40,  who  were  they 
communicating  to  the  most . 

Q  And  from  the  log  files  came  to  you  for 

analysis,    in  what  form  were  they  in? 

A  They  were  in  text  files,   log  files. 

Q  What  did  you  do  with  the  text  files? 

A  I  put  them  in  Excel  for  easier  review. 

Q  And  when  you  put  them  in  Excel,   did  you 

alter  the  information  in  any  way? 

A  No,  sir. 

Q  Now,   once  you  had  the  information  in  the 

Excel  spreadsheet,  what  did  you  do? 

A  I  then  started  filtering.     The  first  one  I 

filtered  was,   like,   amount  of  data  transferred  and  I 
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just  wanted  to  figure  out,  again,  whose  computers  were 
communicated  to  the  most . 

Q  I'm  showing  you  what's  been  marked  for 

prosecution  Exhibit  160  for  identification.  I'm 
showing  defense  counsel . 

Agent  Shaver,    I'm  handing  you  what's  been 
marked  as  prosecution  Exhibit  160  for  identification. 
Do  you  recognize  that  document? 

A  Yes,    sir.      I  do. 

Q  What  is  it? 

A  This  is  a  document  I  created.      It's  a 

summary  of  a  small  segment,   actually,   of  the  log  file 
for  Centaur  that  —  where  I  have  the  names,  other 
remote  servers  and  the  number  of  connections  and  data 
transferred. 

MR.  MORROW:     Permission  to  publish,  Your 

Honor . 

Q  We'll  go  through  this  up  here  and  follow 

along .     So  I  see  ten  numbers  on  the  left . 

What  are  those  numbers? 
A  Sir,   based  off  the  amount  of  data  transfer, 
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the  column  on  the  right,   that's  where  I  sorted  on  the 
amount  of  data  transferred.     So  these  ten  are  the  top 
ten  remote  computers,   the  22  and  40,   the  Centaur 
captured  them  communicating  with . 

Q  So,   really,   it's  ordered  by  what's  on  the 

very  far  right? 

A  Correct . 

Q  Okay.     And  I  see  a  number  of  connections. 

What  does  that  mean? 

A  That  is  just  that.      It's  a  connection.  The 

Centaur  logs  captured  a  connection  between  the  two 
computers,   the  22  and  40,   and  these  computers. 

Q  Now,   with  respect  to  line  4,    I  see  the 

remote  IP  is  CIDNE  Afghanistan. 

Do  you  recall  the  date  range  of  those 
connections  of  that  data  being  transfer? 

A  Yes,    sir.     That  was  January  2010,  early 

January.      I  think  it  was  January  2  to  January  7th. 

Q  And  what  about  the  Department  of  State? 

A  Yes,    sir.     There  are  a  lot  of  connections. 

This  one  captured  over  106,000  connections  and 
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transferred  9.9  gigs  of  data. 

MR.  MORROW:     Now,   based  on  your  review, 
Your  Honor,   the  government  moves  to  amount  of  data 
prosecution  Exhibit  165  for  identification. 

THE  COURT:     Prosecution  Exhibit  165  for 
identification  is  admitted. 
BY  MR.  MORROW: 

Q  Based  on  your  review  of  the  entirety  of  the 

Centaur  logs,   were  the  —  did  you  notice  any  activity 
that  was  missing  in  the  logs? 

A  Yes,   sir.     There  were  several  dates  that 

there  was  no  activity  at  all . 

Q  And  can  you  explain  what  no  activity  means 

to  you? 

A  Again,   these  computers  are  still  —  they're 

on  a  windows  domain  and,   as  such,   they  need  to 
regularly  check  in.     They  need  to  check  in  with  their 
timeserver,   antivirus  server,   update  server,  things 
like  that .     There  are  several  periods  of  time  where 
there  was  connectivity  —  there  was  no  dates  at  all . 

Q  I  show  you  what ' s  been  marked  as 
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prosecution  161  for  identification. 
THE  COURT:  Yes. 
Q  I'm  showing  the  witness  what  is  marked 

Prosecution  161  for  identification. 

Do  you  recognize  that  document? 
A  Yes,  sir. 

Q  And  what  is  it? 

A  This  is  a  document  I  created  to 

demonstrate  —  to  show  the  dates  present  in  the  Centaur 
logs  and  the  dates  that  are  missing  from  the  Centaur 
logs . 

Q  Now,   when  you  say  a  date  is  present  in  the 

Centaur  logs,   what  do  you  mean  by  that? 

A  That  means  that  on  that  date  there ' s  some 

kind  of  network  activity,  something. 

Q  And  when  you  say  dates  missing,   what  does 

that  mean? 

A  There  was  no  activity  at  all . 

MR.  MORROW:     Permission  to  publish, 

Your  Honor. 

THE  COURT:     Go  ahead. 
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(Bench  conference . ) 
BY  MR  MORROW: 

Q  Agent  Shaver,    I'm  going  to  show  you  page 

1  first  and  I  want  to  talk  about  some  of  the  larger 
gaps  you  observed. 

What  was  the  first  large  gap  you  observed 
in  the  Centaur  logs? 

A  November,   November  20th  through 

November  30th,  actually. 

Q  Okay.     What  was  the  second  large  gap  you 

observed  in  the  log? 

A  There  is  a  large  gap  in  December  as  well, 

December  6th  through  the  —  basically,   it  looks  like 
the  end  of  December. 

Q  Okay .      I'm  going  to  show  you  the  bottom  of 

that  page,   actually.     Again,   was  there  a  large  gap  —  I 
know  you  can't  see  the  very  top  here,   the  "dates 
missing"  column,   but  was  there  a  large  gap  in  April  as 
well? 

A  Yes,  sir. 

Q  What  was  the  large  gap  there? 
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A  On  this  page  it  shows  April  2  through 

April  9th  on  this  page. 

Q  I'm  going  to  show  you  page  2 .     Again ,  it 

looks  like  there  was  sort  of  a  large  gap  in  April  as 
well  towards  the  middle  to  the  end  of  the  month;  is 
that  correct? 

A  Yes,  sir. 

MR.  MORROW:     Your  Honor,   the  prosecution 
moves  to  admit  Exhibit  161  for  identification  into 
evidence . 

MR.   COOMBS:     No  objection,   Your  Honor. 
THE  COURT:     Prosecution  Exhibit  161  for 
identification  is  admitted. 
BY  MR.  MORROW: 

Q  Now,    I  want  to  transition  to  logs  collected 

from  the  Department  of  State. 

Who  examined  the  logs  collected  from  the 
Department  of  State  for  CCIU? 
A  I  did,  sir. 

Q  And  how  many  sets  of  logs  were  collected? 

A  There  were  two . 
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Q  And  what  were  the  logs? 

A  One  was  a  set  of  logs  from  a  firewall  and 

another  one  was  from  a  web  server  hosting  the 
Department  of  State  cables . 

Q  What  is  a  firewall? 

A  Sir,   that's  either  a  physical  device  for  a 

piece  of  software  that  limits  traffic,   allows  some 
traffic  in  while  disallowing  others. 

Q  Why  organizations  use  firewalls  generally? 

A  It's  for  security  measures,   to  make  sure 

certain  computers  are  authorized  to  communicate  from 
certain  ports  such  as  like  a  web  server,   port  80.  So 
it's  only  allowed  port  80  in  instead  of  others. 

Q  And  what  kind  of  information  do  firewall 

logs  capture? 

A  Generally,   times  and  dates,    IP  address, 

connecting  in  where  they're  going,   things  like  that. 

Q  Does  it  capture,   you  know,   like,  data 

transferred,  what  files  were  transferred,  anything  like 
that? 

A  It  could. 
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Q  It  could?     But  what  about  the  firewall  logs 

collected  in  this  case? 

A  It  did  not.      It  just  showed  there's  a 

connection  between  the  remote  computer  —  in  this  case, 
it  was  about   .22  or   .40  and  the  Department  of  State 
server . 

Q  Now,    in  what  form  did  the  firewall  logs 

come  to  you  in  this  case? 

A  They  came  to  me  in  PDF . 

Q  And  what  did  you  do  with  those  PDFs? 

A  I  converted  them  to  text  and  then  I 

imported  them  into  Excel  for  easy  review. 

Q  Once  you  got  them  in  Excel,    I  assume  you 

examined  those  logs  at  that  point;   is  that  correct? 

A  Yes,  sir. 

Q  Did  the  firewall  logs  demonstrate  any 

pattern  that  you  could  see? 

A  There  were  patterns,    sir.     Again,    I  could 

not  tell  you  what  was  transferred,  but  I  can  tell  you 
like  number  of  connections  per  day. 

Q  I'm  showing  you  what  is  marked  as 
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Prosecution  Exhibit.  159  for  identification.  I'm 
handing  the  witness  what ' s  been  marked  as  Prosecution 
Exhibit  159  for  identification. 

Do  you  recognize  that  document? 

A  Yes,  sir. 

Q  What  is  it? 

A  This  is  a  document  I  created.      It  shows  the 

summary  of  the  source  IP,   either   .40  or   .22,   the  date 
and  the  number  of  connections,   the  log  entries. 
Q  Number  of  connections  with  what? 

A  The  department  server. 

Q  The  server  or  the  firewall? 

A  This  is  the  firewall  capturing.     So  it's 

passing  through. 

MR.  MORROW:     Permission  to  publish. 
THE  COURT:     Go  ahead. 
(Bench  conference . ) 
BY  MR.  MORROW: 

Q  Agent  Shaver,    let's  go  through  this. 

What  was  the  large  —  the  pattern  that  you 
observed  in  the  firewall? 
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A  From  the  beginning,    it  was  very  few 

connections  and  then  until  30,   March  2010  the  IP 
.22  downloaded  —  or  excuse  me  —  connected.  I 
apologize,    sir.     There  were  149,000  connections. 

Q  On  30,   March  from  .22? 

A  Correct . 

Q  Again,   going  down  through  April,    sort  of 

the  same  type  of  activity? 

A  There  are  a  large  number  of  connections, 

yes,  sir. 

Q  Now,    I  see  between  the  last  date,   the  9, 

April  2010  and  3,  May  2010  there's  sort  of  a  gap  there 
What  does  that  mean? 

A  No  activity.      I  had  no  action,   no  activity 

for  either  IP  at  those  —  for  that  time  period. 

Q  Now,   based  on  what  we  saw  on  the  Centaur 

logs  for  the  April  timeframe,   you're  not  seeing  any 
Department  of  State  firewall  logs,  what  does  that  tell 
you? 

A  Again,   like,    for  example,    8  April,  that 

date  is  not  present  in  Centaur,   but  it  is  present  here 
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Q  But,   again,   you  observed  at  least  some 

connections  for  some  dates  in  Centaur,   in  the  Centaur 
logs? 

A  Yes,  sir. 

THE  COURT:     Before  you  remove  that,    let  me 
just  ask  you  a  question. 

So  when  you're  looking  at,    for  example,  30, 
March  of  2010,   the  computer  with  the  address,   was  it 
.22  or  .40? 

THE  WITNESS:      .22,  ma'am. 

THE  COURT :     Are  you  saying  that  computer 
went  to  the  Department  of  State  website  that  amount  of 
times? 

THE  WITNESS :     The  firewall  log  shows  there 
are  a  number  of  connections.     The  issue  I  had  was  — 
I'm  not  sure  what  the  connections  mean.      It  just  means 
that  log  file,   that  firewall  captured  that  149,000 
times.     That's  what  it  deemed  as  a  connection. 

Is  that  individual  file  being  downloaded 
each  time?     I  don't  know.     I  say  there's  a  connection 
between  the  two  computers  that  many  times . 
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THE  COURT :     So  let  me  ask  you  one  more 
question.      If  somebody  was  to  have  that  many 
connections  on  one  day,   how  long  would  that  take? 

THE  WITNESS:      Urn. . . 

MR.  MORROW:     Actually,   Your  Honor,    I  can 
ask  a  very  specific  question. 

THE  COURT:     Go  ahead. 
BY  MR.  MORROW: 

Q  On  March  30,   over  the  course  of  that  day, 

how  many  hours  between  the  first  connection  and  the 
last  connection  on  that  day? 

A  There  was  11  hours. 

THE  COURT:     That  doesn't  answer  my 

question . 

Could  a  person  using  a  computer  have  that 

many  — 

THE  WITNESS:  In  an  automated  process,  yes. 
THE  COURT:     Go  ahead. 

MR.  MORROW:     Your  Honor,   the  Prosecution 
moves  to  admit  Prosecution  Exhibit  159  for 
identification  into  evidence . 
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MR.   COOMBS:     No  objection,   Your  Honor. 
THE  COURT :     All  right .     His  prosecution 
Exhibit  159  for  identification  is  admitted. 
BY  MR.  MORROW: 

Q  Agent  Shaver,    let's  talk  about  the 

Department  of  State  server  logs . 

What  kind  of  information  did  the  server 
logs  capture? 

A  Sir,   these  were  standard  Windows  log  files. 

They  captured  dates  and  times,   the  remote  IP  and  the 
file  requested  and  things  like  that. 

Q  So  they  were  a  little  more  descriptive  than 

the  firewall  ones? 

A  Yes,  sir. 

Q  Now,   did  the  server  logs,   were  there  any 

large  gaps  in  data  that  you  that  came  to  you  when  you 
did  the  examination  in  the  server  logs? 

A  The  server  logs  only  were  from  April  30th 

until  June.     So  anything  prior  to  April  30th,  there 
were  no  log  files . 

Q  Do  you  know  why  there  were  no  log  files  for 
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those  dates? 

A  No,    sir,    I  do  not. 

Q  Now,   what,   if  anything,   did  you  observe  in 

the  server  logs? 

A  There  was  a  large  number  of  downloads  on 

3  May  from  .22  using  the  Wget  utility. 

Q  I'm  going  to  ask  you  to  move  to  the  panel 

box,   please  and  I'm  going  to  retrieve  Prosecution 
Exhibit  158  for  identification. 

MR.   FEIN:     Could  I  have  a  moment,  Your 

Honor? 

THE  COURT:  Yes. 

(Off  record  discussion.) 
MR.  MORROW:     Agent  Shaver,   could  you  move 
back  to  the  witness  box. 

(Witness  returned) . 

BY  MR.  MORROW: 

Q  I'm  handing  what's  been  marked  as 

Prosecution  Exhibit  158  for  identification. 

A  Yes,  sir. 

Q  Do  you  recognize  the  document? 
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A  Yes,  sir. 

Q  What  is  it? 

A  This  is  one-page  of  the  log  files  for  the 

Department  of  State  server. 

Q  Now,   when  you  say  one  page,   what's  the 

number  at  the  bottom  of  the  page? 

A  This  is  page  28  out  of  641. 

Q  So  it  printed  the  activity  on  that  day, 

3  May  would  have  been  641  pages? 

A  Correct . 

Q  Approximately  how  many  lines  of  data, 

approximately  ? 

A  17. 

Q  On  that  page?     I'm  talking  total,   if  you 

had  the  641  pages. 

A  Thousands . 

Q  Can  you  describe,    in  general  terms,    sort  of 

what  you ' re  observing  in  those  logs  when  you  look  at 
them? 

A  Yes,    sir.     From  left  to  right  we  have  a 

line  number.     Then  we  have  the  remote  IP  which,    in  this 
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case  was   . 22 .     We  have  the  date  and  time  of  the  file 
being  downloaded.      In  this  case,    it's  May  3rd,   2010  and 
then  we  have  the  files  being  downloaded.     In  this  case 
here,   Department  of  State  MRS. 

Q  And  you  said  something  about  Wget,  there's 

a  Wget  in  the  logs . 

Can  you  explain  that,  please? 

A  Yes,    sir.     Wget  was  the  tool  that  was  used 

to  download  these  files . 

Q  On  this  day,   May  3rd? 

A  Yes,  sir. 

MR.  MORROW:     Your  Honor,   the  prosecution 
moves  to  admit  Prosecution  Exhibit  158. 

PART  3 

MR.  MORROW:       The  prosecution  moves  to 

admit  156. 

MR.   TOOMAN:     No  objection. 

THE  COURT:     Prosecution  Exhibit  156  is 
admitted  for  identification. 
BY  MR.  MORROW: 
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Q  Agent  Shaver,   we'll  talk  about  SIPRNET 

warning  barriers  later.      I  want  to  move  on  to  your 
examination  of  this  computer. 

Now,   when  you  examined  this  computer,  what 
exactly  did  you  exam? 

A  I  examined  an  image  of  the  computer  itself, 

not  the  computer. 

Q  And  what  was  your  process  again  for  your 

examination? 

A  Sure .     The  image  was  checked  out .  I 

verified  (inaudible) ,  made  a  working  copy  and  I  did  my 
examination  on  that . 

Q  And  what  were  you  looking  for  on  this 

computer? 

A  Sir,    since  this  was  a  NIPRNET  computer.  I 

want  to  see  what  was  there  and  what  was  allocated,  the 
files  and  internet  history  and  things  like  that. 

Q  All  right .     So  let 1 s  talk  about  internet 

history.     Where  do  you  find  internet  history  on  a 
computer? 

A  Several  locations,  but  in  this  case  since 
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Internet  Explorer  was  the  only  browser,  it  was  within  a 
file  called  index.DAT. 

Q  And  again,   what  does  index.DAT  capture? 

A  It  captures  both  the  local  files  views  and 

websites,  access. 

Q  What  do  you  mean  by  local  files  viewed? 

A  If  you  had  a  file  on  your  desktop,  you 

access  it,   it  would  capture  that  as  well. 

Q  Now,   you  said  it  captured  websites  as  well; 

is  that  correct? 

A  Correct . 

Q  Did  it  capture  searches?     Searches  on, 

like,   Google,   for  example? 

A  It  would  have,  yes. 

Q  And  what  kind  of  searches  did  the 

Bradley .Manning  user  account  pick  up  that  you  observed? 

A  There  were  several .     Things  like  —  Wget 

was  one.     Bay  64,   Excel  and  Wikileaks  as  well. 

Q  And  how  far  back  — 

THE  COURT:     You  said  Bay  64? 
THE  WITNESS :     Bay  64  and  Excel . 
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Q  Again,    for  the  court,   what  is  Bay  64? 

A  That ' s  an  encoding  mechanism  where  it  takes 

text  and  you  can  encode  it  into  XML  form.      It's  good 
for  —  it's  used  for  compression. 

Q  And  if  you  would,    just  describe  where 

you've  seen  —  in  what  context  have  you  seen  Bay  64  on 
the  SIPRnet  computers,    for  example? 

A  On  the   .22  computer,   there  was  a  common 

(inaudible)  CSU  files,  Department  of  State  cables  which 
had  been  converted  to  Bay  64 . 

Q  What  about  on  the   .40  computer? 

A  There  was  —  on  the   .40  computer,  within 

the  allocated  space,   there  was  one  CSL  file  containing 
over  100,000  complete  Department  of  State  cables 
because  they  had  been  Bay  64  encoded. 

Q  Now,    let's  go  to  the  internet  activity. 

How  far  back  were  you  able  to  see  activity 
under  the  Bradley . Manning  user  account? 

A  It  was  started  in  March  2010. 

Q  I'm  showing  you  what  has  been  marked  as 

prosecution  Exhibit  157  for  identification. 
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THE  COURT:     Prosecution  exhibit? 
MR.  MORROW:      157.      I'm  handing  the  witness 
what ' s  been  marked  at  Prosecution  157  for 
identification . 
BY  MR.  MORROW: 

Q  Agent  Shaver,   do  you  recognize  that 

document? 

A  Yes. 

Q  What  is  this  document? 

A  Sir,   this  is  a  document  I  created.      It  is 

the  small  segment  of  the  internet  history  from  the 
index.DAT  file  of  the  Bradley . Manning  user  profile. 

Q  Now,    let  me  stop  you  there. 

How  is  it  created?     So  it 1 s  not  the 
entirety  of  the  index.DAT? 

A  No,    sir.      It's  a  very  small  segment. 

Q  How  did  you  treat  that  small  segment? 

A  I  converted  the  index.DAT  to  an  Excel 

document . 

Q  And  then  what  did  you  do? 

A  I  filtered  on  the  keyword  Wget . 
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MR.  MORROW:     Your  Honor,   permission  to 

publish? 

THE  COURT:     Go  ahead. 
BY  MR.  MORROW: 

Q  Agent  Shaver,    I  don't  want  to  go  through 

the  whole  thing,   but  I  want  to  go  through  a  couple  of 
lines  of  information  here . 

Can  you  see  that? 
A  Yes,  sir. 

Q  Let ' s  talk  about  the  first  line . 

Can  you  describe  the  activity  you ' re 
observing  now? 

A  Yes,    sir.     Again,   the  line  number  1,  the 

date  and  time.     It  shows  the  Bradley . Manning  user 
profile,   searched  Google  for  the  keywords  Wget  and 
"ampersand. " 

Q  And  how  does  an  ampersand  work  with  Wget? 

A  It's  — 

Q  What ' s  —  why  would  those  two  be  connected 

A  Then  you  get  a  command  line  tool .     There  i 

a  lot  of  switches  and  a  lot  of  choices  —  you  can  tell 
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it  to  do  a  lot  of  things.     The  ampersand  sign  in  this 
case,    it  would  help  it  run  a  little  quicker  to  download 
the  files. 

Q  Now,    let ' s  move  down  to  —  now,    line  one  is 

just  a  search  of  the  Internet,  Wget  and  ampersand? 
A  Correct . 

Q  Let ' s  look  at  line  9 . 

A  Yes,  sir. 

Q  What  is  that  activity? 

A  That's  on  27,   March  2010  and  that's  the 

file  Wget.exe  being  downloaded  from  the  website. 

Q  And  now  let's  move  to  line  15. 

A  Yes,    sir.     On  May  3rd,   2010,   again,  the 

Bradley .Manning  user  profiles,    someone  is  downloading 
Wget . exe  again . 

Q  Again,   let's  —  so  I  can  circle  back  here. 

The  first  line  at  least  in  this  is  3  March  or  7, 
March  2010? 

A  Correct . 

Q  Again,   what  was  the  —  how  much  internet 

activity  were  you  actually  able  to  observe  on  the 
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index.DAT  file  on  this  computer?     Anything  before  7, 
March  2010? 

A  No,  sir. 

MR.  MORROW:     Your  Honor,   the  prosecution 
moves  to  admit  Exhibit  157  for  identification  purposes. 

MR.   TOOMAN:     No  objection,   Your  Honor. 
THE  COURT:     Prosecution  Exhibit  157  for 
identification  is  admitted. 
BY  MR.  MORROW: 

Q  Now,   you  say  the  user,   the  Bradley .Manning 

user  downloaded  Wget  on  three   (inaudible) ;   is  that 
correct? 

A  Correct . 

Q  At  least  from  what  you  observed  in  the 

Internet  Explorer? 

A  Yes,  sir. 

Q  Now,   did  you  observe  Wget  being  used  from 

this  computer? 

A  No,  sir. 

Q  In  the  course  of  this  investigation,  have 

you  seen  evidence  that  Wget  was  present  on  other 
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computers  ? 

A  Yes,  sir. 

Q  And  what  other  computers? 

A  On   .22,  sir. 

Q  Now,   did  you  see  any  evidence  that  the  Wget 

filed  downloaded  on  this  NIPRNET  computer  was  moved  to 
the   . 22  computer? 

A  Yes,  sir. 

Q  Can  you  explain  that,  please? 

A  Yes,    sir.     Again,    I  did  the  hash  value  of 

the  file  being  on  the  Wget  file  on  the   . 139  computer 
matched  exactly  the  same  file  within  the 
Bradley .Manning  user  profile  on  .22. 

Q  And  can  you  tell  on   . 22  when  that  movement 

occurred,   when  that  file  was  created  on  that  computer, 
SIPRNET  computer? 

A  It  was  shortly  —  it  was  a  few  hours 

afterwards  created  on   .139.     So  I  believe   .139  was 
almost  2,100  hours  and  just  a  few  hours  later  it  was  on 
.22. 

Q  Agent  Shaver,    I  want  to  go  back  to  the 
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. 22  computer  and  tie  up  a  few  lose  ends .  I  mentioned 
warning  banners  earlier. 

Now,   were  the  SIPRnet  computers 

(inaudible) ? 

A  No,  sir. 

Q  And  how  did  a  user  log  on  the  SIPRnet? 

A  User  name  and  password. 

Q  And  how  do  you  know  that? 

A  I  converted  the  computer  into  a  virtual 

machine  and  booted  it  up  and  it  asked  me  for  a  user 
name  and  password. 

Q  I  show  you  what  has  been  marked  as 

prosecution  155  for  identification.  I  am  handing  the 
witness  what ' s  been  marked  as  Prosecution  Exhibit  155 
for  identification. 

Do  you  recognize  that  document? 

A  Yes,  sir. 

Q  And  what  is  it? 

A  This  is  a  document  I  created  and  within 

. 22  I  went  to  the  register  file  and  removed  the  — 
copied  out  the  warning  banner  and  placed  it  on  this 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/26/13  Afternoon  Session 


document . 

Q  So  when  you  copied  out  the  warning  banner 

from  the  registry  file  on  the   .22  computer  and  you 
copied  it  over  to  a  Word  document,   did  you  alter  the 
information  in  any  way? 
A  No,  sir. 

MR.  MORROW:     The  prosecution  moves  to  admit 
Prosecution  Exhibit  155  for  identification. 

MR.   TOOMAN:     No  objection,   Your  Honor. 
MS.   OVERGARD:     Prosecution  Exhibit  155  for 
identification  is  admitted. 
BY  MR.  MORROW: 

Q  Agent  Shaver,    I  want  to  talk  again  about  — 

there ' s  been  some  confusion  in  this  case  about  the 
settings  for  internet  browsers.     Again,    I  want  to  talk 
specifically  about  the  Mozilla  Firefox  web  browser. 
What  is  that? 
A  It ' s  a  web  browser,  sir. 

Q  And  how  does  a  user  use  the  web  browser? 

How  is  it  utilized  by  someone,  sir?  This  isn't  a  trick 
question . 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/26/13  Afternoon  Session 


A  Yes,    sir.     You  double-click  on  the  icon,  it 

opens  up  and  it  goes  to  your  homepage  and  then  you 
would  surf  the  web. 

Q  And  do  web  browsers  store  information  when 

you  click  open  and  search  the  web? 

A  By  default.      In  this  case,   Firefox,  by 

default,   it  does  save  that  information. 

Q  So  by  default,   Firefox  saves  Internet 

Explorer  web  browsing  history? 

A  Correct . 

Q  When  you  examined  the   .22  computer,  you 

looked  at  the  Firefox  web  browser,  correct? 
A  Correct . 

Q  How  is  that  web  browser  configured? 

A  Within  the  Bradley . Manning  user  profile, 

that  profile  is  configured  to  —  to  turn  private 
browser  mode  on  so  it  would  not  obtain  any  history. 
But  other  users  on  the   .22  computer  also  had  Firefox, 
but  those  computers,   those  profiles,   were  not 
configured  that  way.     They  were  configured  the  default 
way  or  history  would  be  maintained. 
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Q  Now,    in  order  to  —  so  essentially  what  I'm 

hearing  is  private  browsing  has  to  be  enabled  by  a 
user,    it's  not  something  that  is  the  normal  protocol 
for  the  web  browser? 

A  Correct . 

Q  One  moment,   Your  Honor. 

Are  you  familiar  with  a  video  called 
Collateral  Murder? 

A  Yes,  sir. 

Q  And  where  have  you  seen  that  video  in  this 

case? 

A  Within  the  Bradley . Manning  user  profile, 

that  video  was  present . 

Q  Can  you  explain  that,  please?     You  said 

within  the  Bradley . Manning  user  profile.  Just  a  little 
more  specificity. . . 

A  Within  the  profile,   there's  a  folder  called 

videos . 

THE  COURT :      In  which  computer? 
THE  WITNESS:      I'm  sorry.     Thank  you,  ma'am. 
On   .22  within  the  Bradley . Manning  use  profile,  my 
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documents,  videos,   there  was,    I  think,   another  folder 
called  Sane  and  that's  where  that  video  was  present, 
was  allocated  there. 

Q  I'm  showing  you  what's  been  marked  as 

prosecution  Exhibit  165  for  identification.  I'm 
showing  you  what  is  marked  as  Prosecution 
Exhibit  165  for  identification. 

Do  you  recognize  that  document? 

A  Yes,  sir. 

Q  What  is  it? 

A  This  is  a  screen  shot  of  the  Manning  case 

program,   but  it ' s  showing  the  videos ,   several  videos . 
Q  There  is  no  publisher  on  there? 

A  (No  response . ) 

Q  Now,   when  I  ask  you  whether  you  had  seen 

the  Collateral  Murder  video,   what  video  are  you 
referring  to? 

A  The  bottom  one,   OSC_YouTube-CM . wmv . 

Q  And  approximately  how  long  is  that  video? 

A  It's  about  17  minutes. 

Q  Can  you  describe  —  you  watched  the  video, 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/26/13  Afternoon  Session 


I  assume? 

A  Yes,  sir. 

Q  Can  you  describe,   generally,   what  it 

depicts? 

A  Yes,    sir.      It  starts  with  an  Orwellian 

quote  and  then  it  shows,   basically,   a  battle  scene  in 
Iraq  and  with  a  commending  sub-text  pointing  things  out 
with  arrows,   things  like  that. 

Q  And  when  was  that  file  created  on  the 

computer?     When  did  that  file  appear  on  the  computer? 

A  12,   April  2010. 

Q  And  what  does  that  mean? 

A  That  file  was  copied  there  on  that  time  and 

date . 

Q  And  let ' s  look  at  the  middle  line  of  this 

screen  shot.  Have  you  watched  that  video  before,  the 
12,   July   '07  CD,   Danger  Zone? 

A  I  have . 

Q  And  did  you  compare  that  file  to  the 

OSC_YouTube-cm? 

A  I  did. 
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Q  And  what  was  — 

A  The  12,   July   '07  CZ  movie,   that  appears  to 

be  the  source .     It ' s  a  much  longer  video  and  it  appears 
to  be  from  military  aircraft .     The  source  of  the  movie 
for  the  OSC  YouTube  movie . 

MR.  MORROW:     Prosecution  moves  to  admit 
prosecution  Exhibit  165. 

MR.   TOOMAN:     No  objection,  ma'am. 

THE  COURT:     Prosecution  Exhibit  165  for 
identification  and  admitted. 
BY  MR.  MORROW: 

Q  And  I  show  you  what ' s  been  marked  as 

Prosecution  Exhibit  168  for  identification.  I'm 
handing  you  what ' s  been  marked  as  Prosecution  Exhibit 
168  for  identification. 

Now,   what  is  that? 
A  It's  a  CD. 

Q  Have  you  looked  at  that  CD? 

A  Yes,    sir,    I  have. 

Q  What  is  on  the  CD? 

A  It ' s  a  movie  OSC_YouTube-CM . wmv . 
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MR.  MORROW:     Your  Honor,   the  prosecution 


would  submit  Prosecution  Exhibit  168  for 
identification . 

MR.   TOOMAN:     No  objection,   Your  Honor. 

THE  COURT:     Can  I  see  it,  please? 
Prosecution  Exhibit  168  for  identification  is  admitted. 

MR.  MORROW:     For  the  remainder  of  Agent 
Shaver's  testimony,   the  government  is  going  to  ask  for 
a  closed  session.     I  don't  know  whether  defense  wants 
to  cross  at  this  point . 


THE  COURT: 


You  want  to  cross  examine  the 


agent  ? 


MR.   TOOMAN:     Yes,  ma'am. 


EXAMINATION  BY  MR.  TOOMAN: 


Q 


Good  afternoon. 


A 


Good  afternoon,  sir. 


Q 


Agent  Shaver,   you  spoke  first  about  Centaur 


logs? 


A 


Yes,  sir. 


Q 


So  let's  focus  on  that.     Now,   you  talked 


about  a  number  of  gaps  in  those  logs,  correct? 
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A  Yes,  sir. 

Q  So  when  there  is  a  gap  in  the  logs,  you 

don't  see  any  activity? 
A  Correct . 

Q  Now,   is  it  possible  that  when  there's  a  gap 

in  the  log  that  could  be  because  the  SIPRnet  was  down? 
A  The  entire  SIPRnet? 

Q  Or  a  particular  user's  access  to  SIPRnet? 

A  Sure . 

Q  Okay.     And  if  that  were  the  case,   the  user 

wouldn't  have  the  ability  to  transfer  any  data? 
A  Correct . 

Q  And  if  a  user  didn't  have  SIPRnet  access, 

again,   central  logs  wouldn't  catch  anything,  correct? 
A  No. 

Q  And  they  wouldn't  be  able  to  do  anything 

with  their  SIPRnet  machine? 
A  Yes,  sir. 

Q  Now,   with  respect  to  the  Centaur  logs, 

there  was  no  activity  in  November  of  2009  that  was 
large  enough  to  have  transferred  a  video,  correct? 
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A  Correct . 

Q  The  same  is  true  in  December  of  2009? 

A  Correct . 

Q  Now,    let ' s  transition  to  the  Department  of 

State  firewall  that  you  spoke  of? 
A  Yes,  sir. 

Q  Now,   a  firewall  would  stop  an  individual 

who  doesn't  have  access,  correct? 
A  Correct . 

Q  So  if  a  user  has  access  to  the  Department 

of  State  server,   the  firewall  is  going  to  let  him 
through? 

A  Correct . 

Q  And  if  they  don't  have  access,   the  firewall 

is  going  to  stop  them? 
A  Correct . 

Q  Now,   those  firewall  logs  were  pretty  bare 

bones,  weren't  they? 

A  Yes,  sir. 

Q  All  they  really  captured  were  a  date  and  a 

time? 
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A  And  a  network  connection,   yes,  sir. 

Q  So  you  get  a  date  and  a  time? 

A  Yes. 

Q  You  get  a  number  of  connections  and  you  get 

the  source  IP? 

A  Correct . 

Q  And  the  destination  IP? 

A  Correct . 

Q  And  the  Department  of  State  left  a  lot  on 

the  table  as  far  as  the  other  data  they  could  have 
captured,  correct? 

A  Left  a  lot? 

Q  The  firewall  log  could  have  captured  more 

data? 

A  I'm  not  sure  about  that  firewall,   but  other 

firewalls  could  have. 

Q  Okay.     What  other  types  of  information  can 

firewall  logs  catch? 

A  They  capture  lots  of  things,    like  files 

transfer,  meta-data  transferred,   things  like  that. 

Q  And  the  Department  of  State  firewalls  logs 
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weren't  set  up  to  do  that? 
A  No,  sir. 

Q  Now,   you  spoke  about  the  number  of 

connections  between  the   .22  and   .40  machine  and  the 
Department  of  State  servers  and  you  talked  about  one 
where  there  was  —  one  day  where  there  were  a  lot  of 
connections,    159,000  connections? 

A  Yes,  sir. 

Q  Now,    is  it  possible  that  some  of  those 

connections  were  failed  connections,   there  was  an 
attempt  and  then,   ultimately,   nothing  happened? 

A  It  is  possible. 

Q  Now,   if  one  were  to  automate  that  process 

of  connecting  to  a  server,  how  long  would  those  149,000 
connections  take? 

A  Not  very  long.      It  depends  on  the 

automation  method. 

Q  Okay.     Would  it  also  depend  on  whether  or 

not  data  was  being  transferred? 

A  Yes,   and,   of  course,   you  have  to  worry 

about  your  network  speed,   where  you  are  in  the  world, 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/26/13  Afternoon  Session 


are  there  other  issues. 

Q  So  it ' s  possible  that  149,000  connections, 

while  a  big  number,   could  have  happen  very  quickly? 

A  Yes. 

Q  And  it ' s  also  possible  that  while  those 

connections  are  happening,   the  user,   the  source  IP  — 
use  of  the  source  IP  is  doing  other  things? 

A  Correct . 

Q  Let's  switch  to  the  NIPR  computer,  the 

139  computer. 

A  Yes,  sir. 

Q  Now,   you  mentioned  that  there  was  no 

activity  before  March  on  that  computer;    is  that  right? 
A  For  that  profile,  yes. 

Q  Okay,    for  that  profile.     Do  you  know  why 

that  was? 

A  No,  sir. 

Q  Do  you  know  if  that  particular  machine  had 

been  reimaged  at  all? 

A  I  do  not  recall . 

Q  Do  you  know  if  that  particular  machine  had 
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been  wiped? 

A  No,    sir,   not  to  my  knowledge. 

Q  Do  you  know  if  that  particular  machine  had 

the  operating  system  reinstalled? 

A  No,    sir.      I'm  sorry,    I  do  not. 

Q  Now,    in  your  review  of  that  machine,  the 

NIPR  machine,   did  you  find  any  evidence  of  the 
Wikileaks  most  wanted  list  on  that  computer? 

A  No,    sir,    I  did  not. 

Q  And  on  that  NIRP  machine,   where  was  that 

physically  located? 

A  I  was  told  it  was  in  the  SCIF  in  the  common 

area . 

Q  So  out  in  the  open? 

A  Yes,  sir. 

Q  Where  people  would  be  walking  by? 

A  Presumably  so,   yes,  sir. 

Q  Now,   you  spoke  about  web  browsers  and 

browsing  history? 

A  Yes,  sir. 

Q  Are  you  aware  of  any  restrictions  on 
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setting  your  computer  up  to  do  private  browsing? 

A  On  the  Army  computers  for  Internet 

Explorer,   that  was  not  a  option.     But  I  don't  know  of 
any  prohibitions  from  it  for  other  browsers . 

Q  One  moment  please,   Your  Honor. 

(Pause . ) 

That ' s  all .     Thank  you . 

THE  COURT:  Redirect? 

MR.  MORROW:     No,   Your  Honor. 

THE  COURT:     Agent  Shaver,    I  have  a  couple 
of  questions .      I  just  want  to  make  sure  I  understood 
your  answer  to  the  last  question. 

Are  you  saying  that  on  the  NIPR  computer  a 
user  couldn ' t  do  private  browsing? 

THE  WITNESS:     Correct,   ma'am.     The  NIPRNET 
computer   .139  only  had  the  Internet  Explorer  browser 
and  that  feature  for  private  browsing  was  not  available 
for  a  user. 

THE  COURT:     Oh,    so  when  you're  talking 
about  private  browsing,   you're  talking  about  the 
Internet  history,   not  browsing  for  personal  reasons? 
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THE  WITNESS:  Correct. 

THE  COURT:      I  misunderstood  you.     Give  me  a 

second. 

THE  WITNESS:     Yes,  ma'am. 

THE  COURT:     I  believe  you  testified  earlier 
that  you  saw  the  Wget  downloaded  from  the   .139  computer 
and  then  several  hours  later  saw  it  on  the 
. 22  computer? 

THE  WITNESS:  Correct. 

THE  COURT:     What  are  possible  ways  that  a 
user  could  transfer  a  Wget  program  from  the  139 
computer  to  the   . 22  computer? 

THE  WITNESS:     Most  logical  is  burn  a  CD. 

THE  COURT:     Do  SIPRnet  computers  like  .22, 
just  regular  CDs  that  go  on  NIPRNET  computers,  they 
take  the  same  kinds  of  CDs? 

THE  WITNESS:     Yes,  ma'am. 

THE  COURT:  We  spoke  earlier  that  149,000 
connections  could  happen  quickly . 

Now,  is  that  for  any  user  or  a  user  using 
some  special  automated  program? 
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THE  WITNESS :      It  would  appear  just  a 
volume.     It  was  some  kind  of  automated  tool,  something 
that  made  a  repetitive  task  fast . 

THE  COURT:      If  a  user  did  not  have  an 
automated  tool,   could  a  user  make  149,000  connections 
in  one  day? 

THE  WITNESS:     Maybe  if  they're  really 
dedicated,  ma'am.     They  would  be  clicking  a  lot. 

THE  COURT :     On  the  Centaur  logs  where  there 
was  no  activity  —  was  there  no  activity  —  did  you 
look  and  see  if  there  were  activities  to  the  computer 
on  the  day  on  the  night shift? 

THE  WITNESS :     There  was  no  activity  at  all . 

THE  COURT:     No  activity  at  all? 

THE  WITNESS :     Correct . 

THE  COURT :     Did  you  look  at  whether  there 
was  activity  on  the  day  versus  the  nightshift? 

THE  WITNESS:      It  would  just  show  up  as 
activity  as  in  a  day.     So  if  there  was  activity,  you 
would  have  to  look  at  the  times  to  determine,  but  we 
just  said  show  everything  you  have  for  —  everything 
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you  had  for  the  entire  time  period.  And  this  is  what 
they  gave  us.  So  if  it  was  there,  it  would  be  there. 
It  was  both  day  or  nightshift . 

THE  COURT :     And  I  believe  you  answered  in 
response  to  a  defense  question  of  one  thing  that  could 
cause  a  gap  in  the  Centaur  logs  would  be  that  the 
user's  SIPR  was  down. 

THE  WITNESS:      If  there's  a  network  issue, 

yes,  ma'am. 

THE  COURT :     What  other  possible  causes 
could  there  be? 

THE  WITNESS:     The  centaur  failed.  Again, 
big  network  issues. 

THE  COURT:      In  the  139  NIRP,   you  testified 
there  was  no  activity  before  March  of  2010  for  the 
Bradley .Manning  user  profile? 

THE  WITNESS:  Correct. 

THE  COURT :     Did  you  see  if  there  was 
activity  before  March  for  any  of  the  other  user 
profiles? 

THE  WITNESS:      I  don't  recall,  ma'am. 
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THE  COURT :     Any  f ollowup  based  on  my . . . 

MR.  MORROW:     One  more  question,   Your  Honor. 

EXAMINATION  BY  MR.  MORROW: 
Q  Agent  Shaver,   you  talked  to  me  about  a 

number  of  reasons  for  gaps  in  the  Centaur  data.  But 
based  on  your  analysis  of  all  the  information  you've 
seen  in  the  case,   all  the  logging  Department  of  State 
logs  and  totaling  the  logs,   et  cetera,  what  is  the  most 
likely  reason  for  the  gap  in  Centaur  data? 

THE  WITNESS:     The  Centaur  failed. 

MR.  MORROW:     Thank  you. 

EXAMINATION  BY  MR.  TOOMAN: 
Q  Now,   Agent  Shaver,   you  talked  about  — 

we ' ve  talked  about  private  browser  and  Internet 
Explorer . 

Now,   on  the  NIRP  machine,   the  only  web 
browser  on  that  was  Internet  Explorer,  correct? 
A  Yes. 

Q  On  other  machines,   the   .22  machine  or  the 

.40  machine  there's  Firefox? 
A  Correct . 
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Q  And  in  Firefox  one  of  the  options  is 

private  browsing? 

A  Correct . 

Q  That 1 s  not  an  option  with  Internet 

Explorer? 

A  Not  in  that  version,  correct. 

Q  But  when  it  is  an  option,   there's  nothing 

that  would  prevent  a  user  from  employing  private 
browsing,  correct? 

A  I  don't  know  how  the  Army  does  it  now,  but 

at  that  time  that  feature  was  not  available.  So  it  was 
an  older  browser .      I  don ' t  know . . . 

THE  COURT :     Are  you  speaking  of  Internet 
Explorer  or  Firefox? 

THE  WITNESS:     Yes,   ma'am.  Internet 
Explorer,    it  was  an  older  browser  version  and  I  don't 
believe  that  was  a  present  as  an  option. 
BY  MR.  MORROW: 

Q  Let  me  clarify.     The  Firefox  on  those 

computers,   private  browsing  was  an  option  within 
Firefox . 
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A  Yes. 

Q  And  there  was  nothing  that  would  have 

prevented  a  user  from  employing  private  browsing  on 
Firef ox? 

A  That 1 s  correct . 

Q  Now,   you  talked  about  Wget  and  how  it  would 

have  gotten  on  the   .22  machine.     When  it  was  put  on  the 
22  machine,   it  was  put  on  there  as  an  executable  file, 
correct? 

A  Correct . 

Q  So  that  means  it  wouldn ' t  have  gone  into 

the  program  list? 

A  It  could  have . 

Q  How  would  an  user  get  into  the  program? 

A  Administrative  privileges  to  put  it  there . 

Q  So  if  it  wasn't  in  the  program  list,  well, 

you  would  needed  administrative  privileges  to  do  that? 
A  To  put  it  there,  yes. 

Q  So  if  you  wouldn't  have  —  if  a  person 

didn't  have  administrative  rights,   they  would  pretty 
much  have  to  put  it  on  their  desktop? 
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A  Correct . 

Q  Are  they  could  run  it  from  the  disk? 

A  Correct . 

Q  And  you  don ' t  know  whether  or  not  that 

process  was  authorized  within  the  S2  section  of  210-9? 
A  I'm  sorry? 

Q  The  process  of  placing  an  executable  file 

on  the  desktop? 

A  No,    sir.      I  have  no  knowledge  of  that. 

Q  Now,   you  testified  that  in  all  likelihood 

the  gaps  in  the  Centaur  logs  would  have  been  caused  by 
Centaur  itself  just  being  down? 

A  Correct . 

Q  So  that  wouldn ' t  have  anything  to  with  any 

action  by  PFC  Manning? 
A  Correct . 

MR.  MORROW:     Thank  you. 

THE  COURT :     Let  me  ask  one  f ollowup  based 
on  that  to  make  sure  I  understand  your  testimony . 

So  the  Wget,   to  be  on  the  SIPR  computer, 
when  does  it  require  administrative  privileges? 
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THE  WITNESS:     To  run  it,   you  don't  need 
that.     You  don't  have  to  have  administrative  privileges 
to  run  it .     But  if  you  were  going  to  put  it  in  the 
common  area,   the  program  files  where  all  the  other 
programs  such  as  Office  reside,   you  need  a  privilege  to 
put  a  file  there. 

THE  COURT :     So  a  user  could  run  Wget  on  his 
computer  by  CD  or  desktop? 

THE  WITNESS:  Correct. 

THE  COURT:     Any  followup  based  on  that? 
MR.  MORROW:     No,   Your  Honor. 
MR.   TOOMAN:     No,  ma'am. 

THE  COURT :     All  right .     Are  we  ready  to 
move  into  closed  session? 

MR.   FEIN:     Yes,   ma'am.     The  United  States 
requests  the  court  for  a  closed  session  pursuant  to  the 
court ' s  previous  order  what  has  been  marked  as 
Exhibit  550 .     The  court  is  ordered  to  close  certain 
proceedings  dated  21  May,   2013  to  elicit  very  specific 
testimony  from  Special  Agent  Shaver  in  reference  to 
specification  3  of  charge  2  and  only  specification  3  of 
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charge  2 . 

THE  COURT :     Approximately  how  long  does  the 
government  anticipate  this  session  will  last? 

MR.   FEIN:     Your  Honor,   the  government's 
case  and  its  business  case  and  any  questions  from  the 
court,   no  more  than  max  30  minutes.     Likely,    less  time. 

THE  COURT:     All  right.     Will  you  need  a 
recess  to  put  any  measures  in  place? 

MR.   FEIN:     Yes,   ma'am.     The  United  States 
requests  a  20  minute  recess  in  order  to  institute  the 
correct  measures,   swap  out  the  court  reporter 
equipment . 

THE  COURT:     All  right.      Is  there  anything 
that  we  need  to  address  before  we  have  the  recess? 
MR.   FEIN:     No,  ma'am. 
MR .   TOOMAN :     No ,   ma ' am . 

THE  COURT:     All  right.     Members  of  the 
gallery  and  the  public,   the  court  is  going  to  close 
this  portion  of  the  trial  pursuant  to  the  court ' s 
earlier  findings  under  rule  court-martial  806. 

We  are  also  going  to  have  a  brief  reopening 
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of  the  public  portion  of  the  trial  after  the  closed 
session.     Based  on  what  Major  Fein  has  proffered  to  me, 
I'm  thinking  that's  going  to  take  place  roughly  around 
4 : 00  or  16 : 00 . 

Does  that  sound  about  right? 

MR.   FEIN:     Yes,  ma'am. 

MR.   TOOMAN:     Yes,  ma'am. 

THE  COURT :     All  right .     We  may  need  to  be  a 
little  bit  flexible.     I  can't  say  with  actual  precision 
when  it's  going  to  occur,   but  that's  going  to  be  the 
target  range.     So  court  is  in  recession  for  20  minutes. 

(There  was  a  recess  taken  at  2:49  and  the 
trial  reconvened  at  4:04  p.m.) 
BY  MR.  MORROW: 

Q  Did  you  examine  those  log  files  in  this 

case? 

A  Yes,    sir,    I  did. 

Q  And  what  exactly  was  collected  by  CCIU? 

A  There  was  two  sets  of  logs  collected. 

First  would  be  Open  Source  Center  or  OSC  and  then  the 
second  one  a  set  of  logs  called  Wire  Logs . 
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Q  And  what  is  the  Open  Source  Center? 

A  Sir,   that  is  a  website.      It  has  Open  Source 

stuff.     So  web  documents,   transcripts,  television 
shows ,   things  like  that . 

Q  And  do  you  know  whether  PFC  Manning 

appeared  to  have  an  Open  Source  Center  account? 

A  Yes .     There  were  two  actual  accounts . 

Q  And  what  was  the  user  name  of  the  accounts? 

A  E.  Manning  was  the  first  one  and  the  second 

one  was  Brad  assay  87 . 

Q  Now,   what  kind  of  information  was  captured 

in  the  logs  for  the  Open  Source  Center? 

A  The  user  name,   the  date  and  time,  files 

searched  for  and  files  viewed. 

Q  Can  you  just  describe,   generally,  the 

activity  you  observed  for  the  Brad  assay  87  user 
account? 

A  The  first  day  of  log  files  for  that  account 

were  February  20th,  2010.  There  was  no  more  searches 
and  files  viewed.  There  were  searches  for  Wikileaks, 
Iceland  and  other  things  as  well . 
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Q  And  do  you  recall  how  many  total  searches 

for  Wikileaks  that  you  observed  in  the  log  files  you 
examined? 

A  Sir,   there  were  over  20. 

Q  And  what  about  total  searches? 

Approximately  how  many  totals  searches  for  Iceland? 

A  Approximately  25,  sir. 

Q  Can  you  recall  the  first  search  for 

Wikileaks  in  the  Open  Source  Center  logs? 

A  Yes,    sir.      It  was  on  the  first  day,  so 

February  20,  2010. 

Q  And  what  about  the  first  search  for 

Iceland? 

A  Same  thing,  sir. 

MR.  MORROW:     Thank  you. 
EXAMINATION  BY  MR.  TOOMAN: 

Q  The  first  search  in  the  Open  Source  Center 

by  PFC  Manning's  user  account  was  on  the  20th  of 
February,  correct? 

A  Yes,  sir. 

Q  Nothing  before  January? 
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A  Correct . 

Q  Nothing  in  December? 

And  PFC  Manning's  user  account  also 
searched  for  things  related  to  Iraq,  correct? 
A  Yes,  sir. 

Q  And  he  did  that  quite  a  bit? 

A  Yes,    sir,   he  did. 

MR.   TOOMAN:     Thank  you. 

THE  COURT:  Redirect? 

MR.  MORROW:     No,   Your  Honor. 

THE  COURT:     Special  Agent  Shaver,  someone 
from  a  user  account  like  in  this  case  goes  and  searches 
for,    say,   Wikileaks  and  then  pulls  up  something  in  the 
search,   are  these  logs  able  to  track  that? 

THE  WITNESS:     Yes,   ma'am.      It  will  actual 
say  the  words  "file  viewed." 

THE  COURT:      If  they  go  into  the  file 

further? 

THE  WITNESS:      If  they  open  the  file,  yes. 
THE  COURT:      Is  the  —  are  the  logs  able  to 

track  that? 
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THE  WITNESS:  Yes. 

THE  COURT :     When  PFC  Manning  searched  for 
Wikileaks,   what  did  he  find? 

THE  WITNESS :     Documents  pertaining  to  the 
Wikileaks  site.     I  don't  recall  what  files  he  viewed. 
I  just  looked  for  searches .     But  it ' s  Open  Source 
Center  stuff.     So  it  would  have  been  stuff  readily 
available  on  the  web. 

THE  COURT :     So  let  me  just  make  sure  I 
understand  your  testimony .     The  logs  track  what  the 
user  views.     So  if  the  user  opens  something  with  a 
search  term  and  viewed  it,   the  log  would  tell  you  what 
it  was  that  they  reviewed? 

THE  WITNESS:     Yes,  ma'am. 

THE  COURT:     And  in  this  particular  case, 
you  just  don't  remember  what  the  logs  say? 

THE  WITNESS:     Pertaining  to? 

THE  COURT :     To  the  search  for  Wikileaks . 

THE  WITNESS:  Correct. 

THE  COURT:     Okay.     Any  followup  based  on 

that? 
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MR.  MORROW:     No,   Your  Honor. 

MR .   COOMBS :     No ,  ma'am. 

THE  COURT :     Temporary  or  permanently 

excused? 

MR.  MORROW:     Temporary,   Your  Honor. 

THE  COURT :     Did  the  government  want  to 
state  in  the  open  court  what  exhibits  were  admitted? 

MR.  MORROW:     Absolutely,   Your  Honor. 
Prosecution  Exhibits  154,    166  and  167  were  admitted. 

THE  COURT :     All  right .  Temporarily 
excused.     Once  again,   you  are  temporarily  excused. 
Please  don't  discuss  your  testimony  or  knowledge  of  the 
case  with  anyone  other  than  counsel  of  the  accused 
while  the  trial  is  still  going  on. 

Other  than  by  number,   is  there  any  way  to 
label  those  exhibits  in  open  court? 

MR.  MORROW:     One  moment,   Your  Honor. 

Your  Honor,   the  Plaintiffs  will  identify 
those  exhibits  by  Bates  number.     We'll  do  that  tomorrow 
in  open  court . 

THE  COURT:     All  right.      Is  there  anything 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/26/13  Afternoon  Session 


else  we  need  to  address  today  other  than  timing  and 
scheduling? 

MR.   FEIN:     No,  ma'am. 
MR .   COOMBS  :     No ,  ma'am. 

THE  COURT :     The  parties  have  talked  to  me 
about  tomorrow ' s  scheduling .     They  are  going  to  be 
arriving  at  additional  stipulations  of  expected 
testimony  and  they  need  some  time  to  do  that . 

So  we  are  going  to  be  recesses  court  today 
and  beginning  tomorrow  at  12:00,   at  noon,   to  allow  the 
parties  to  continue  to  do  what  they  need  to  do  to  get 
those  stipulations  of  expected  testimony  and  I  believe 
that ' s  all  we  need  to  discuss  with  respect  to 
scheduling;   is  that  correct? 

MR.   FEIN:     Ma'am,    it's  just  mostly  for  the 
general  public's  awareness  that  we  will  take  a  lunch 
recess  tomorrow.     So  we'll  start  at  noon  and  move 
forward. 

THE  COURT :     Okay .     So  we ' 11  all  have  eaten 
lunch  before  we  start . 

Anything  else  we  need  to  address? 
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MR.   FEIN:     No,  ma'am. 
MR .   COOMBS :     No ,   Your  Honor . 
THE  COURT :     All  right .     Court  is  in  recess 
until  noon  tomorrow . 
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